Your hotel data is safe with us.
Security is not an afterthought at Sutahi. From ZATCA CSID key vaults to Saudi data residency, every architectural decision prioritizes the protection of your hotel operations data.
Security Certifications
Our compliance posture reflects the highest standards required for Saudi hospitality data processing.
SOC 2 Type II
Status: In Progress — Target Q4 2026. Covers security, availability, and confidentiality trust service criteria.
PDPL Compliant
Status: Compliant. Full compliance with Saudi Personal Data Protection Law No. 151 of 2021 (effective Sept 2023).
ZATCA Phase 2 Certified
Status: Certified. Fatoorah API integration certified by ZATCA for e-invoice clearance and reporting for Saudi hospitality.
ISO 27001
Status: Target 2027. Information Security Management System certification; framework already adopted internally.
AES-256 Encryption
Status: Active. All data at rest encrypted using AES-256. Encryption keys managed in isolated key management service.
TLS 1.3 In Transit
Status: Active. All communication between clients and servers secured with TLS 1.3. Legacy TLS 1.0/1.1 disabled.
Built for Resilience
Our infrastructure is architected for the demands of 24/7 hotel operations in the Saudi market.
Saudi Arabia Region Hosting
Primary infrastructure hosted on AWS me-south-1 (Bahrain — nearest data-sovereign AWS region to KSA). No primary data leaves the GCC region.
99.9% Uptime Architecture
Multi-AZ deployment with automatic failover. Load-balanced application tier. Redis for session and caching. Zero single point of failure.
Daily Automated Backups
Full database snapshots daily. Transaction log backups every 15 minutes. Backups retained 30 days. Monthly backups retained 12 months. Cross-AZ backup replication.
Cloudflare DDoS Protection
All traffic proxied through Cloudflare. DDoS mitigation at network edge. Web Application Firewall (WAF) rules active. Rate limiting on all API endpoints.
R2 Object Storage
Files and media stored on Cloudflare R2 (S3-compatible). Data sovereignty preserved. No egress fees. Server-side encryption enabled by default.
24/7 Infrastructure Monitoring
Real-time alerting for CPU, memory, disk, and network anomalies. P99 latency monitoring. Automated incident escalation. Status page at status.sutahi.com.
How We Protect Your Data
Defense-in-depth — multiple layers of protection from the database to the browser.
Strict Multi-Tenant Isolation
Every query is scoped to company_id at the database level. It is architecturally impossible for one hotel's data to be accessed by another tenant.
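As an added illustration of the tenant-scoping pattern described above (example code, not Sutahi's own, using a constructed two-hotel SQLite dataset and a hypothetical ReservationRepo class): a data-access layer that has no unscoped read path, so a reservation id guessed from another hotel returns nothing.

```python
import sqlite3
from typing import Optional


class TenantScopeError(RuntimeError):
    """Raised when code tries to build a repository without a tenant context."""


class ReservationRepo:
    """Every query carries company_id; there is deliberately no unscoped read path."""

    def __init__(self, conn: sqlite3.Connection, company_id: Optional[int]):
        if company_id is None:
            raise TenantScopeError("a tenant context is required for every query")
        self.conn = conn
        self.company_id = company_id

    def get(self, reservation_id: int) -> Optional[tuple]:
        # The id alone is never enough: the row must also belong to this tenant,
        # so a guessed id from another hotel yields None rather than their data.
        return self.conn.execute(
            "SELECT id, company_id, guest FROM reservations WHERE id = ? AND company_id = ?",
            (reservation_id, self.company_id),
        ).fetchone()

    def list_ids(self) -> list:
        rows = self.conn.execute(
            "SELECT id FROM reservations WHERE company_id = ? ORDER BY id",
            (self.company_id,),
        ).fetchall()
        return [r[0] for r in rows]


def build_sample_db() -> sqlite3.Connection:
    """Constructed dataset: hotel 100 owns reservations 1-2, hotel 200 owns 3."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE reservations (id INTEGER PRIMARY KEY, company_id INTEGER NOT NULL, guest TEXT)"
    )
    conn.executemany(
        "INSERT INTO reservations VALUES (?, ?, ?)",
        [(1, 100, "Guest A1"), (2, 100, "Guest A2"), (3, 200, "Guest B1")],
    )
    return conn


def cross_tenant_lookup_blocked() -> bool:
    """Hotel 100's repository asks for reservation 3, which belongs to hotel 200."""
    repo = ReservationRepo(build_sample_db(), company_id=100)
    return repo.get(3) is None and repo.get(1) is not None
```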
Principle of Least Privilege
Role-based access control (RBAC) with Spatie Laravel Permission. Each employee role grants only the minimum access needed. Permissions are audited on every request.
Activity Audit Logging
Every state-changing operation (create, update, delete) logs the before/after state with timestamp and user identity. Audit logs are immutable and retained 90 days.
API Rate Limiting
Per-user and per-IP rate limits on all API endpoints. Burst protection for authentication endpoints. Automatic blocking of suspicious request patterns.
Security Headers
HSTS, CSP, X-Frame-Options, X-Content-Type-Options, and Referrer-Policy enforced on all responses. OWASP Top 10 mitigations applied.
Annual Penetration Testing
Independent third-party security assessment annually. Findings remediated within 30 days (critical: 72 hours). Summary report available to Enterprise customers on request.
Built for Saudi Hospitality
Additional security controls specific to the Saudi hotel industry regulatory environment.
ZATCA CSID Encrypted Vault
Each hotel's ZATCA Cryptographic Stamp Identifier (CSID) private key is stored in an isolated encrypted vault, separated from the main application database. The signing process runs in a dedicated service — keys are never written to logs, never returned in API responses, and never accessible to application-level code outside the signing context.
PCI DSS via Stripe & Tap
All payment card processing is delegated to PCI DSS Level 1 certified providers (Stripe and Tap Payments). Sutahi never stores raw card numbers — only tokenized references and transaction IDs.
Guest Data PDPL Protection
Hotel guest passport, Iqama, and personal data collected for government reporting (NTMP/Nusuk) is encrypted at field level, retained only as required by Saudi law, and never used for commercial purposes by Sutahi.
Invoice Hash Chain Integrity
ZATCA Phase 2 requires each e-invoice to cryptographically chain to the previous one. Sutahi enforces this hash chain at the database level, making retroactive invoice manipulation detectable and preventing tampering with fiscal records.
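As an added example of how such a chain makes retroactive edits detectable (example code, not Sutahi's implementation): each record stores the previous record's hash, and verification recomputes every link. The canonical form hashed here (sorted JSON of the invoice fields plus the previous hash) is an assumption for illustration; the first-invoice seed follows ZATCA's convention of base64 over the hex SHA-256 of "0".

```python
import base64
import hashlib
import json
from typing import Optional, Tuple

# Seed used before any invoice exists (ZATCA's first-invoice convention).
SEED_HASH = base64.b64encode(hashlib.sha256(b"0").hexdigest().encode()).decode()


def canonical(invoice: dict) -> bytes:
    """Deterministic serialisation so the same invoice always hashes the same."""
    return json.dumps(invoice, sort_keys=True, separators=(",", ":")).encode()


def invoice_hash(invoice: dict, previous_hash: str) -> str:
    """base64(SHA-256(canonical invoice || previous hash)): the record's chain value."""
    digest = hashlib.sha256(canonical(invoice) + previous_hash.encode()).digest()
    return base64.b64encode(digest).decode()


def append_invoice(chain: list, invoice: dict) -> dict:
    """Append a record whose 'pih' is the previous record's hash (or the seed)."""
    prev = chain[-1]["hash"] if chain else SEED_HASH
    record = {"invoice": invoice, "pih": prev, "hash": invoice_hash(invoice, prev)}
    chain.append(record)
    return record


def verify_chain(chain: list) -> Tuple[bool, Optional[int]]:
    """Recompute every link; return (ok, index of the first broken record or None)."""
    expected_prev = SEED_HASH
    for i, rec in enumerate(chain):
        if rec["pih"] != expected_prev:          # link to predecessor broken
            return False, i
        if invoice_hash(rec["invoice"], rec["pih"]) != rec["hash"]:  # content edited
            return False, i
        expected_prev = rec["hash"]
    return True, None


def demo() -> Tuple[bool, Optional[int]]:
    """Constructed 3-invoice chain; then the second invoice's total is edited after the fact."""
    chain = []
    for n, total in ((1, 450.00), (2, 1200.00), (3, 300.00)):
        append_invoice(chain, {"number": f"INV-{n:04d}", "total": total, "vat": round(total * 0.15, 2)})
    chain[1]["invoice"]["total"] = 12.00  # retroactive manipulation of a fiscal record
    return verify_chain(chain)
```

Even if the tamperer also recomputes the edited record's own hash, the next record still carries the old value in `pih`, so verification fails one link later.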
Found a Security Issue?
We welcome responsible security research. If you have discovered a potential vulnerability in Sutahi, please report it to us privately before public disclosure. We commit to:
- Acknowledge your report within 24 hours
- Provide regular status updates throughout remediation
- Remediate critical vulnerabilities within 72 hours
- Credit researchers in our security acknowledgements (with permission)
- Not pursue legal action for good-faith security research
Security Questions
Have security questions?
Our security team is happy to share documentation, answer compliance questions, and help you evaluate Sutahi for your enterprise requirements.